World + dog can see original images, if they right-click on any image and remove the .preview or .thumbnail from the URL.

Oops. Workaround: run your site with low-quality "original" images.

That's with files set to private, after which the URL is example.com/system/files/images/whatever.

Comments

drewish’s picture

Category: bug » support
Status: Active » Fixed

that's by design. you need to use private file transfers. you can enable those from admin/settings/file-system but beware that it will increase the load on your server.

Hetta’s picture

Ah, but my files are set to private, under admin/settings/file-system .

I'd love to move this to the relevant core component, but don't know which that would be.

drewish’s picture

Category: support » bug
Status: Fixed » Active

my bad. looking at image_file_download() we don't do enough permissions checking.

drewish’s picture

Version: 5.x-1.x-dev » 6.x-1.x-dev
Status: Active » Needs work
Attachment: status new, size 1.75 KB

here's the patch I committed to HEAD for this. it'll need some re-working for the 1.x-dev branch.

drewish’s picture

marked http://drupal.org/node/140058 as a duplicate

Hetta’s picture

Version: 6.x-1.x-dev » 5.x-1.x-dev
Attachment: status new, size 1.6 KB

The HEAD patch as reworked for 5.x-1.x-dev.

drewish’s picture

Status: Needs work » Fixed
Attachment: status new, size 1.6 KB

thanks! i swapped '_original' for IMAGE_ORIGINAL and committed it to DRUPAL-5.

Anonymous’s picture

Status: Fixed » Closed (fixed)
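
The gap discussed in this thread, as an added example that is not the image module's code or the committed patch: a standalone PHP model of a private-download check that follows the hook_file_download() return convention (an array of headers to serve, -1 to deny, NULL for files the module does not manage). The file registry, the function names and the two permission names are constructed for illustration.

```php
<?php
// Added illustration: a standalone model, not Drupal or image module code.
// Return convention mirrors hook_file_download(): array of headers = serve,
// -1 = deny, NULL = not a file this module manages.

define('IMAGE_ORIGINAL', '_original'); // size label named in the thread

// Constructed sample registry: file path => node id, size label, MIME type.
$image_files = array(
  'images/whatever.jpg'           => array('nid' => 7, 'size' => IMAGE_ORIGINAL, 'mime' => 'image/jpeg'),
  'images/whatever.preview.jpg'   => array('nid' => 7, 'size' => 'preview', 'mime' => 'image/jpeg'),
  'images/whatever.thumbnail.jpg' => array('nid' => 7, 'size' => 'thumbnail', 'mime' => 'image/jpeg'),
);

// Behaviour reported in the thread: any known image path is served.
function download_unchecked($path, $files) {
  if (!isset($files[$path])) {
    return NULL;
  }
  return array('Content-Type: ' . $files[$path]['mime']);
}

// Hardened: the decision uses the size label stored for the path and the
// requesting user's permissions, never the shape of the requested URL.
// 'view images' and 'view original images' are hypothetical permission names.
function download_checked($path, $files, $perms) {
  if (!isset($files[$path])) {
    return NULL;
  }
  $file = $files[$path];
  if (!in_array('view images', $perms)) {
    return -1;
  }
  if ($file['size'] === IMAGE_ORIGINAL && !in_array('view original images', $perms)) {
    return -1;
  }
  return array('Content-Type: ' . $file['mime']);
}

// A visitor who may see derivatives but not originals.
$visitor = array('view images');
foreach (array_keys($image_files) as $path) {
  $old = download_unchecked($path, $image_files);
  $new = download_checked($path, $image_files, $visitor);
  printf("%-32s unchecked=%s checked=%s\n", $path,
    is_array($old) ? 'served' : 'denied', is_array($new) ? 'served' : 'denied');
}
```

With the checked handler, the derivative paths are still served to this visitor while the original is denied, so editing the size suffix out of the URL no longer exposes the full-size file.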